On 28 January, regulators and organisations around the world acknowledge Data Privacy Day. In this article, we consider the importance of establishing good data protection practices and explain the fundamental building blocks of an effective privacy framework.
28 January marks the anniversary of the signing of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), the first legally binding international treaty on data protection. In the four decades since the convention was opened for signature, it has been signed or ratified by more than 50 countries. During the same time, the legal landscape for data protection has changed dramatically – and it continues to evolve. There are now more than 120 countries with national data protection laws and that number continues to grow at a rapid pace.
Establishing good data protection practices
In addition to high-profile international legislation such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), many of the world’s emerging economies are developing and implementing laws to protect personal information and to impose obligations on parties that collect, hold and use such information. These laws typically share common themes and principles that collectively embody good data protection practice.
The COVID-19 crisis has been an additional factor in bringing data privacy issues to the forefront of corporate agendas. Public and private organisations have had to adopt measures to prevent the spread of the virus and mitigate its effects, including accommodating a work-from-home environment for their employees and collecting personal information about employees’ health and travel. Many of these measures have raised privacy and security concerns and questions about how organisations are handling personal data. We encourage all organisations to work towards best international practices in the area of data protection regardless of the current status of laws in their home territory. Even where there is no express legislation on data privacy, it is increasingly necessary to evidence good data protection practices when dealing with international business partners and customers.
Our key tips for enterprises include:
Implement an effective information governance strategy
A methodical approach to data management is important for organisations to keep track of inward and outward data flows. It is also a fundamental requirement of most regulatory regimes to document data processing and decisions made by the organisation.
Consider your supply chain risks
It is critical to maintain oversight of third-party service providers and data processors. Data protection laws often hold the original collecting party responsible for safeguarding personal data – even if the information has subsequently been shared with other parties.
Understand your legal obligations
In a rapidly-changing legal landscape, it is important to stay ahead of developments in law and regulation. In the last 12 months, we have seen new laws passed in Egypt, South Africa, Dubai and elsewhere, along with consultations on new legislation in countries including Pakistan and China. Data processing often crosses physical country borders – particularly with the rise of cloud-based computing – and organisations need to understand which rules apply and how to comply with them.
Communicate with your consumers
Organisations that handle high volumes of consumer data should ensure that they have good response procedures in place so that requests from consumers about their data can be handled efficiently and effectively. Consumers are becoming increasingly aware of their data privacy rights and active in contacting companies to find out more about the type of data those companies hold about them. Knowing how to handle such communications sensitively and in compliance with applicable data protection laws will help an organisation foster consumer trust.
Establish a culture of data protection
Another critical component of ensuring effective data protection within an organisation is to establish a strong privacy culture among the workforce. Building an enterprise-wide appreciation of good information security practices requires a combination of senior level buy-in and a commitment to continuous learning.
Consider IT security and controls
Privacy practices can be built into organisations through the adoption of recognised privacy and information security frameworks, such as the NIST Privacy Framework or the ISO/IEC 27701 International Standard for Privacy Information Management. These frameworks set out key controls and provide a tool for monitoring privacy compliance across an organisation.
Adopt effective data breach response measures
Loss of, or unauthorised access to, personal data can have significant reputational and financial consequences. With many communications and interactions having moved online, particularly during the COVID-19 pandemic, companies are even more vulnerable to data breaches. Alongside a robust security framework, organisations should consider the procedures they have in place to deal with data breaches. Certain countries require data breaches to be notified to data protection authorities and, in some cases, to the affected individuals.
As data privacy and data protection laws continue to sweep the globe, now is the time for organisations to put greater emphasis on their data processing practices. Managing the risks associated with data processing is a significant undertaking for any organisation, and it is only going to increase in complexity with the growing focus from regulators, rising pressure from the marketplace to improve data management and the increasing amounts of data concerning individuals that businesses hold.
An organisational shift towards a culture of respect for privacy rights and an understanding of good data protection practice takes time and patience. However, an effective privacy framework will mitigate the risk of fines and other sanctions under existing data protection laws, enable more efficient and compliant cross-border data sharing, create a basis for compliance with future legislation and help an organisation to establish trust when it comes to the handling of customer and employee data.